Author: lukaszlenart
Date: Thu May 23 10:31:44 2013
New Revision: 1485640
URL: http://svn.apache.org/r1485640
Log:
Merged from STRUTS_2_3_14_X
Disable eval expressions [from revision 1469249]
Modified:
struts/struts2/trunk/ (props changed)
struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
Propchange: struts/struts2/trunk/
------------------------------------------------------------------------------
Merged /struts/struts2/branches/STRUTS_2_3_14_X:r1469249
Modified:
struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java?rev=1485640&r1=1485639&r2=1485640&view=diff
==============================================================================
---
struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
(original)
+++
struts/struts2/trunk/core/src/main/java/org/apache/struts2/StrutsConstants.java
Thu May 23 10:31:44 2013
@@ -228,6 +228,9 @@ public final class StrutsConstants {
/** Enables caching of parsed OGNL expressions **/
public static final String STRUTS_ENABLE_OGNL_EXPRESSION_CACHE =
"struts.ognl.enableExpressionCache";
+ /** Enables evaluation of OGNL expressions **/
+ public static final String STRUTS_ENABLE_OGNL_EVAL_EXPRESSION =
"struts.ognl.enableOGNLEvalExpression";
+
/** The{@link org.apache.struts2.views.util.UrlHelper} implementation
class **/
public static final String STRUTS_URL_HELPER = "struts.view.urlHelper";
Modified:
struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java?rev=1485640&r1=1485639&r2=1485640&view=diff
==============================================================================
---
struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
(original)
+++
struts/struts2/trunk/core/src/main/java/org/apache/struts2/config/BeanSelectionProvider.java
Thu May 23 10:31:44 2013
@@ -375,6 +375,7 @@ public class BeanSelectionProvider imple
// Convert Struts properties into XWork properties
convertIfExist(props, StrutsConstants.STRUTS_LOG_MISSING_PROPERTIES,
XWorkConstants.LOG_MISSING_PROPERTIES);
convertIfExist(props,
StrutsConstants.STRUTS_ENABLE_OGNL_EXPRESSION_CACHE,
XWorkConstants.ENABLE_OGNL_EXPRESSION_CACHE);
+ convertIfExist(props,
StrutsConstants.STRUTS_ENABLE_OGNL_EVAL_EXPRESSION,
XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION);
convertIfExist(props,
StrutsConstants.STRUTS_ALLOW_STATIC_METHOD_ACCESS,
XWorkConstants.ALLOW_STATIC_METHOD_ACCESS);
convertIfExist(props, StrutsConstants.STRUTS_CONFIGURATION_XML_RELOAD,
XWorkConstants.RELOAD_XML_CONFIGURATION);
Modified:
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java?rev=1485640&r1=1485639&r2=1485640&view=diff
==============================================================================
---
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
(original)
+++
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/XWorkConstants.java
Thu May 23 10:31:44 2013
@@ -13,6 +13,7 @@ public final class XWorkConstants {
public static final String DEV_MODE = "devMode";
public static final String LOG_MISSING_PROPERTIES = "logMissingProperties";
public static final String ENABLE_OGNL_EXPRESSION_CACHE =
"enableOGNLExpressionCache";
+ public static final String ENABLE_OGNL_EVAL_EXPRESSION =
"enableOGNLEvalExpression";
public static final String RELOAD_XML_CONFIGURATION =
"reloadXmlConfiguration";
public static final String ALLOW_STATIC_METHOD_ACCESS =
"allowStaticMethodAccess";
public static final String XWORK_LOGGER_FACTORY = "xwork.loggerFactory";
Modified:
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java?rev=1485640&r1=1485639&r2=1485640&view=diff
==============================================================================
---
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java
(original)
+++
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/impl/DefaultConfiguration.java
Thu May 23 10:31:44 2013
@@ -319,6 +319,7 @@ public class DefaultConfiguration implem
builder.factory(OgnlUtil.class, Scope.SINGLETON);
builder.constant(XWorkConstants.DEV_MODE, "false");
builder.constant(XWorkConstants.LOG_MISSING_PROPERTIES, "false");
+ builder.constant(XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION, "false");
builder.constant(XWorkConstants.RELOAD_XML_CONFIGURATION, "false");
return builder.create(true);
}
Modified:
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java?rev=1485640&r1=1485639&r2=1485640&view=diff
==============================================================================
---
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
(original)
+++
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/config/providers/XWorkConfigurationProvider.java
Thu May 23 10:31:44 2013
@@ -151,6 +151,7 @@ public class XWorkConfigurationProvider
props.setProperty(XWorkConstants.DEV_MODE, Boolean.FALSE.toString());
props.setProperty(XWorkConstants.LOG_MISSING_PROPERTIES,
Boolean.FALSE.toString());
props.setProperty(XWorkConstants.ENABLE_OGNL_EXPRESSION_CACHE,
Boolean.TRUE.toString());
+ props.setProperty(XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION,
Boolean.FALSE.toString());
props.setProperty(XWorkConstants.RELOAD_XML_CONFIGURATION,
Boolean.FALSE.toString());
}
Modified:
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
URL:
http://svn.apache.org/viewvc/struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java?rev=1485640&r1=1485639&r2=1485640&view=diff
==============================================================================
---
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
(original)
+++
struts/struts2/trunk/xwork-core/src/main/java/com/opensymphony/xwork2/ognl/OgnlUtil.java
Thu May 23 10:31:44 2013
@@ -56,6 +56,7 @@ public class OgnlUtil {
private TypeConverter defaultConverter;
static boolean devMode = false;
static boolean enableExpressionCache = true;
+ private boolean enableEvalExpression;
@Inject
public void setXWorkConverter(XWorkConverter conv) {
@@ -67,11 +68,20 @@ public class OgnlUtil {
devMode = "true".equals(mode);
}
- @Inject("enableOGNLExpressionCache")
+ @Inject(XWorkConstants.ENABLE_OGNL_EXPRESSION_CACHE)
public static void setEnableExpressionCache(String cache) {
enableExpressionCache = "true".equals(cache);
}
+ @Inject(value = XWorkConstants.ENABLE_OGNL_EVAL_EXPRESSION, required =
false)
+ public void setEnableEvalExpression(String evalExpression) {
+ enableEvalExpression = "true".equals(evalExpression);
+ if(enableEvalExpression){
+ LOG.warn("Enabling OGNL expression evaluation may introduce
security risks " +
+ "(see
http://struts.apache.org/release/2.3.x/docs/s2-013.html for further details)");
+ }
+ }
+
/**
* Sets the object's properties using the default type converter,
defaulting to not throw
* exceptions for problems setting the properties.
@@ -217,7 +227,7 @@ public class OgnlUtil {
}
protected void setValue(String name, Map<String, Object> context, Object
root, Object value, boolean evalName) throws OgnlException {
- Object tree = compile(name);
+ Object tree = compile(name, context);
if (!evalName && isEvalExpression(tree, context)) {
throw new OgnlException("Eval expression cannot be used as
parameter name");
}
@@ -227,30 +237,46 @@ public class OgnlUtil {
private boolean isEvalExpression(Object tree, Map<String, Object> context)
throws OgnlException {
if (tree instanceof SimpleNode) {
SimpleNode node = (SimpleNode) tree;
- return node.isEvalChain((OgnlContext) context);
+ OgnlContext ognlContext = null;
+
+ if (context!=null && context instanceof OgnlContext) {
+ ognlContext = (OgnlContext) context;
+ }
+ return node.isEvalChain(ognlContext);
}
return false;
}
public Object getValue(String name, Map<String, Object> context, Object
root) throws OgnlException {
- return Ognl.getValue(compile(name), context, root);
+ return Ognl.getValue(compile(name, context), context, root);
}
public Object getValue(String name, Map<String, Object> context, Object
root, Class resultType) throws OgnlException {
- return Ognl.getValue(compile(name), context, root, resultType);
+ return Ognl.getValue(compile(name, context), context, root,
resultType);
}
public Object compile(String expression) throws OgnlException {
+ return compile(expression, null);
+ }
+
+ public Object compile(String expression, Map<String, Object> context)
throws OgnlException {
+ Object tree;
if (enableExpressionCache) {
- Object o = expressions.get(expression);
- if (o == null) {
- o = Ognl.parseExpression(expression);
- expressions.putIfAbsent(expression, o);
+ tree = expressions.get(expression);
+ if (tree == null) {
+ tree = Ognl.parseExpression(expression);
+ expressions.putIfAbsent(expression, tree);
}
- return o;
- } else
- return Ognl.parseExpression(expression);
+ } else {
+ tree = Ognl.parseExpression(expression);
+ }
+
+ if (!enableEvalExpression && isEvalExpression(tree, context)) {
+ throw new OgnlException("Eval expressions has been disabled");
+ }
+
+ return tree;
}
/**
@@ -312,7 +338,7 @@ public class OgnlUtil {
PropertyDescriptor toPd = toPdHash.get(fromPd.getName());
if ((toPd != null) && (toPd.getWriteMethod() != null)) {
try {
- Object expr = compile(fromPd.getName());
+ Object expr = compile(fromPd.getName(), context);
Object value = Ognl.getValue(expr, contextFrom,
from);
Ognl.setValue(expr, contextTo, to, value);
} catch (OgnlException e) {
